Re: Received event for unconfigured/disabled/delet...

christianubeda · ‎05-08-2019

Hi team!

I have this error:

But the Indexter is here. What appends?

DavidHourani · ‎05-08-2019

Hi @christianubeda,

This errors means that the server receiving the logs does not have that index. It could be a historical message if you've just created the index but if that's not the case then you might have created the index on your search head whereas data is coming in to your indexers (where the index was supposed to be).

To fix this, go on your CM and make sure you deploy the new index configuration to the indexers as shown here in the docs: https://docs.splunk.com/Documentation/Splunk/7.2.6/Indexer/Configurethepeerindexes

Let me know if that helps,

Cheers,
David

jbmitchell · ‎06-16-2021

Hello, currently experience this error on the search head with a newly created index (created on the indexer). Does it take time for the indexer to show up on the search head?

koshyk · ‎05-08-2019

please check
1. if you get the errors from a single indexer (in a multi cluster system). if that's case, just check on that single indexer
2. Did permissions change on Unix filesystem?
3. How is the data collected? via UF directly to indexer?
4. Check your indexes.conf on the individual indexer to see everything is good. Do a restart of indexer too

Received event for unconfigured/disabled/deleted index=...

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector